If you had to choose one visualization to aid you in your investigations what would it be?
Some thoughts on ideas:
- Nodal diagram
- Timeline
- Parallel Coordinates
- Heat Map
- Word Cloud
What is the main purpose for the visualization you chose?
Some thoughts:
- Helps understand relationships between events and meta
- Shows changes/abnormalities over time
- SOC Candy
Definitely the nodal diagram - long overdue... In many investigations it is beneficial to see the one-to-many or many-to-many relationships to help explain a scenario to those who are not so savvy in merely looking at meta-key/data only.
Also useful is the Heat Map like there is in the Malware module - however please add the option for any meta key to be analyzed & not be limited to a predefined list of meta like there is today. This helps to more quickly differentiate where attention needs to be focused / drilled into. Helps to identify outliers more quickly as well.
As for parallel coordinates - a good first start already exists - but would like to see it expanded upon / more robust. Perhaps adding a feature such as highlighting a session for a value (or line) that is clicked and then giving the option to drill into just that one session.
Timelining - another very useful feature as we can see events/sessions over time to help explain what happened in an investigation. While the basic session timelining exists from a meta view today, perhaps we could add other display options such as bar graphs, pie charts, etc. (without having to do so in the Reporting Engine as it adds extra steps --- maybe link the two?).
Visualizations are a huge value-add for Analysts and are inherently complementary to the Analytics / Investigative process --- especially for investigative reporting that almost always is requested in a true incident. Please continue making improvements in this area...excited to see what the future holds...
Thank you
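The two ideas in the reply above (one-to-many relationships for a nodal diagram, and a heat map over any meta key that surfaces outliers) reduced to working code, as an added example that is not part of the thread or of any product's code. The session records, meta key names and the median-based outlier rule are constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample session meta (not from the thread): one dict per session,
# keyed by the meta keys an analyst would pivot on. 10.0.0.5 fans out to five
# destinations in one time bucket; 203.0.113.20 is contacted twice at 10:10.
SESSIONS = [
    {"time": "10:00", "ip.src": "10.0.0.5", "ip.dst": "203.0.113.10", "service": 80},
    {"time": "10:00", "ip.src": "10.0.0.5", "ip.dst": "203.0.113.11", "service": 80},
    {"time": "10:00", "ip.src": "10.0.0.5", "ip.dst": "203.0.113.12", "service": 80},
    {"time": "10:00", "ip.src": "10.0.0.5", "ip.dst": "203.0.113.13", "service": 80},
    {"time": "10:00", "ip.src": "10.0.0.5", "ip.dst": "203.0.113.14", "service": 80},
    {"time": "10:05", "ip.src": "10.0.0.7", "ip.dst": "203.0.113.10", "service": 443},
    {"time": "10:10", "ip.src": "10.0.0.8", "ip.dst": "203.0.113.20", "service": 53},
    {"time": "10:10", "ip.src": "10.0.0.9", "ip.dst": "203.0.113.20", "service": 53},
]


def nodal_edges(sessions, src_key, dst_key):
    """Count directed src->dst pairs: the edge list behind a nodal diagram."""
    edges = Counter()
    for s in sessions:
        edges[(s[src_key], s[dst_key])] += 1
    return edges


def fan_out(edges, threshold):
    """One-to-many view: sources linked to at least `threshold` distinct dsts."""
    dests = defaultdict(set)
    for src, dst in edges:
        dests[src].add(dst)
    return {src: sorted(d) for src, d in dests.items() if len(d) >= threshold}


def heat_map(sessions, meta_key, bucket_key="time"):
    """Count matrix of (time bucket, value) for ANY meta key, not a fixed list."""
    grid = Counter()
    for s in sessions:
        grid[(s[bucket_key], s[meta_key])] += 1
    return grid


def outlier_cells(grid, factor=2):
    """Cells whose count is at least `factor` times the median cell count.
    Median rather than mean so a single hot cell cannot hide itself."""
    if not grid:
        return []
    cutoff = factor * median(grid.values())
    return sorted(cell for cell, count in grid.items() if count >= cutoff)
```

Run `fan_out(nodal_edges(SESSIONS, "ip.src", "ip.dst"), 3)` to get the hub that a nodal diagram would draw, and `outlier_cells(heat_map(SESSIONS, "service"))` to get the hot cell a heat map would colour.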